April 23, 2007; 07:00 AM
WhiteHat Security, the leading provider of website vulnerability
management services, today released the second installment of its Web
Application Security Risk Report, which details 15 months of
vulnerability assessment data across a variety of real-world websites.
The report unveils the top 10 website vulnerabilities facing
enterprises, and identifies Web application security trends across
financial, e-commerce, healthcare, and high-tech industries. The
WhiteHat Report provides enterprises with a clear picture of current
website security issues and details best practices for defending against
potential attacks.
WhiteHat Security's research confirms that the Web application layer
requires proactive security as the number one target for malicious
online attacks. In its December 2006 report, WhiteHat found that eight
out of every 10 websites are vulnerable to attack. The Company's recent
findings now indicate that one out of every three websites has an
urgent vulnerability issue that could put online data and corporate
brand identity at risk. The most prevalent vulnerability continues to
be Cross-Site Scripting (XSS) with seven out of 10 websites being
affected, followed by Information Leakage and Content Spoofing. SQL
Injection and Insufficient Authorization also remain on the top 10
list, and if undiscovered can result in serious repercussions regarding
highly sensitive information.
The WhiteHat Report notes a slight decrease in technical
vulnerabilities such as XSS and SQL Injection. This may indicate that
organizations are beginning to address the growing number and severity
of website attacks. However, logical vulnerabilities such as
insufficient authorization, where an attacker gains unauthorized access
to protected sections of a website, have not decreased. This can be
attributed in part to the fact that scanners alone do not pick up flaws
affecting business logic and remediation may be more difficult. In
order to ensure effective and complete vulnerability assessments, it is
key to have security experts working in conjunction with the scanners.
This combined approach unearths items that scanners are not equipped to
catch and serves as a stronger safeguard in protecting against attacks.
As the issue of Web application vulnerability increases in severity and
importance across industries, more enterprises have implemented
WhiteHat Security's Sentinel Service to address their Web application
security needs. WhiteHat Sentinel comprehensively and continuously
assesses hundreds of real-world production and development websites
per month to obtain a one-of-a-kind perspective into website
vulnerability trends. As the only company with access to cumulative
data of this magnitude and depth, WhiteHat is sharing its findings to
provide enterprises with an all-encompassing view of the various
attacks their websites may be susceptible to.
WhiteHat utilizes the Web Application Security Consortium (WASC) Threat
Classification of 24 Web application vulnerability classes as its
standard. This ensures comprehensive coverage of all known types of
vulnerabilities. WhiteHat's approach to website vulnerability
management combines a human component with patent-pending,
enterprise-class scanning technology for identification of technical
vulnerabilities, verified results to eliminate false positives, and
custom testing with multiple user-levels to reveal business logic flaws.
"We are thrilled to reveal our second quarterly risk report offering
further clarity on prevalent vulnerabilities affecting websites today,"
said Jeremiah Grossman, founder and chief technology officer at
WhiteHat Security. "These statistics continue to provide an in-depth
view of the attack landscape that enterprises currently face. As the
amount of sensitive data housed online continues to grow, WhiteHat is
committed to educating companies on how to proactively protect their
websites through complete website vulnerability management."
WhiteHat plans to issue continued installments of the Web Application
Security Risk Report on a quarterly basis. To ensure the report remains
useful and relevant, WhiteHat incorporates feedback and ideas from
leading industry thought leaders and influencers. Based on feedback
already received, plans for future reports include: comparing website
technology and frameworks; comparing vertical markets; average
remediation times by vulnerability; trend vulnerability
increases/decreases over time; and attack surface ratios of inputs to
vulnerabilities.
About WhiteHat Security, Inc.
Headquartered in Santa Clara, California, WhiteHat Security is a
leading provider of website vulnerability management services. WhiteHat
delivers turnkey solutions that enable companies to secure valuable
customer data, comply with industry standards and maintain brand
integrity. WhiteHat Sentinel, the company's flagship service, is the
only solution that incorporates expert analysis and industry-leading
technology to provide unparalleled coverage to protect critical data
from attacks. For more information about WhiteHat Security, please
visit our website, http://www.whitehatsec.com/.